diff --git a/contrib/epee/include/net/net_helper.h b/contrib/epee/include/net/net_helper.h
index bb6bbcc2..f59f94a1 100644
--- a/contrib/epee/include/net/net_helper.h
+++ b/contrib/epee/include/net/net_helper.h
@@ -48,7 +48,6 @@
 #include "misc_helpers.h"
 //#include "profile_tools.h"
 #include "../string_tools.h"
-
 #ifndef MAKE_IP
 #define MAKE_IP( a1, a2, a3, a4 ) (a1|(a2<<8)|(a3<<16)|(a4<<24))
 #endif
@@ -58,6 +57,37 @@ namespace epee
 {
 namespace net_utils
 {
+
+#ifdef _WIN32
+ // https://stackoverflow.com/questions/40307541
+ #include
+ static void add_windows_root_certs(boost::asio::ssl::context& ctx) noexcept
+ {
+ HCERTSTORE hStore = CertOpenSystemStore(0, "ROOT");
+ if (hStore == NULL) {
+ return;
+ }
+
+ X509_STORE *store = X509_STORE_new();
+ PCCERT_CONTEXT pContext = NULL;
+ while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) {
+ // convert from DER to internal format
+ X509 *x509 = d2i_X509(NULL,
+ (const unsigned char **)&pContext->pbCertEncoded,
+ pContext->cbCertEncoded);
+ if(x509 != NULL) {
+ X509_STORE_add_cert(store, x509);
+ X509_free(x509);
+ }
+ }
+
+ CertFreeCertificateContext(pContext);
+ CertCloseStore(hStore, 0);
+
+ // attach X509_STORE to boost ssl context
+ SSL_CTX_set_cert_store(ctx.native_handle(), store);
+ }
+#endif
 template struct socket_backend;
@@ -70,11 +100,12 @@ namespace epee
 {
 // Create a context that uses the default paths for
 // finding CA certificates.
+#ifdef _WIN32
+ add_windows_root_certs(m_ssl_context);
+#else
 m_ssl_context.set_default_verify_paths();
- /*m_socket.set_verify_mode(boost::asio::ssl::verify_peer);
- m_socket.set_verify_callback(
- boost::bind(&socket_backend::verify_certificate, this, _1, _2));*/
-
+#endif
+ m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer);
 }
 /* 
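Review bot: `X509_STORE_new()` in add_windows_root_certs is never checked for NULL before `X509_STORE_add_cert(store, x509)` and `SSL_CTX_set_cert_store`, and the early `return` on `hStore == NULL` leaves the context with whatever store it already had without a trace; both paths deserve a log line so a handshake that later fails against an empty trust store can be diagnosed. The `(const unsigned char **)&pContext->pbCertEncoded` cast lets d2i_X509 advance a pointer that lives inside the CryptoAPI-owned CERT_CONTEXT; a local copy avoids mutating it: `const unsigned char* der = pContext->pbCertEncoded;` followed by `X509 *x509 = d2i_X509(NULL, &der, pContext->cbCertEncoded);`. The `#include` directive also sits inside `namespace net_utils`, so the header's contents land in that namespace; it belongs with the other includes at file scope. Only the "ROOT" system store is opened, so chain building will depend on the server sending its intermediates; if that is intended, a comment saying so would save the next reader the question.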
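Review bot: `m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer)` is set here on the context and then again on the stream in on_after_connect (hunk @@ -114,11 +159,27); one of the two is redundant, and keeping only the context-level call puts the verification policy in a single visible place. On the `_WIN32` branch nothing reports whether add_windows_root_certs actually populated a store, whereas `set_default_verify_paths()` on the other branch throws on failure, so the two platforms fail in different ways; having the Windows helper return bool and logging `LOG_PRINT_L0("Failed to load Windows root certificates")` when it fails would keep them aligned. The constructor this hunk edits starts outside the hunk.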
@@ -101,7 +132,21 @@ namespace epee
 void set_domain(const std::string& domain_name)
 {
- SSL_set_tlsext_host_name(m_socket.native_handle(), domain_name.c_str());
+ SSL* ssl = m_socket.native_handle();
+
+ SSL_set_tlsext_host_name(ssl, domain_name.c_str());
+#if BOOST_VERSION >= 107300
+ m_socket.set_verify_callback(boost::asio::ssl::host_name_verification(domain_name));
+#else
+ m_socket.set_verify_callback(boost::asio::ssl::rfc2818_verification(domain_name));
+#endif
+
+ X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ if (X509_VERIFY_PARAM_set1_host(param, domain_name.c_str(), 0) != 1)
+ {
+ LOG_PRINT_L0("Failed to set expected hostname: " << domain_name);
+ }
 }
 boost::asio::ip::tcp::socket& get_socket()
@@ -114,11 +159,27 @@ namespace epee
 return m_socket;
 }
- void on_after_connect()
+ bool on_after_connect()
 {
 LOG_PRINT_L2("SSL Handshake....");
- m_socket.handshake(boost::asio::ssl::stream_base::client);
+ m_socket.set_verify_mode(boost::asio::ssl::verify_peer);
+
+ boost::system::error_code ec;
+ m_socket.handshake(boost::asio::ssl::stream_base::client, ec);
+
+ if (ec)
+ {
+ long vr = SSL_get_verify_result(m_socket.native_handle());
+ LOG_PRINT_L0("TLS Handshake failed: " << ec.message() << " (verify: " << X509_verify_cert_error_string(vr) << ")");
+ ERR_clear_error();
+ boost::system::error_code ignored;
+ m_socket.lowest_layer().shutdown(boost::asio::ip::tcp::socket::shutdown_both, ignored);
+ m_socket.lowest_layer().close(ignored);
+ return false;
+ }
+ LOG_PRINT_L2("SSL Handshake OK");
+ return true;
 }
 private:
@@ -147,9 +208,9 @@ namespace epee
 return m_socket;
 }
- void on_after_connect()
+ bool on_after_connect()
 {
-
+ return true;
 }
 void reset()
@@ -182,7 +243,7 @@ namespace epee
 return m_pbackend->get_stream();
 }
- void on_after_connect()
+ bool on_after_connect()
 {
 return m_pbackend->on_after_connect();
 } 
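Review bot: `X509_VERIFY_PARAM_set1_host(param, domain_name.c_str(), 0)` only matches DNS names, so if `domain_name` is an IP literal (the companion change in tests/performance_tests/main.cpp keeps an `https://195.201.107.230` variant around) OpenSSL's own check cannot match an IP SAN and verification fails even for a valid certificate; `X509_VERIFY_PARAM_set1_ip_asc` is the matching call for that case, and `SSL_set_tlsext_host_name` should then be skipped because SNI must not carry an IP literal (RFC 6066). The return value of `SSL_set_tlsext_host_name` is ignored while the `set1_host` one is logged; treating the two alike keeps the failure behaviour consistent. When `set1_host` fails the function only logs and the handshake then relies on the boost verify callback alone; that is still a checked connection, but a one-line comment saying so would make the fallback intentional rather than accidental.
```cpp
        SSL* ssl = m_socket.native_handle();

        // An IP literal must not be sent as SNI (RFC 6066) and is matched by
        // OpenSSL against IP SANs, not DNS SANs, so decide that up front.
        boost::system::error_code addr_ec;
        boost::asio::ip::make_address(domain_name, addr_ec);
        const bool is_ip_literal = !addr_ec;

        if (!is_ip_literal && SSL_set_tlsext_host_name(ssl, domain_name.c_str()) != 1)
        {
          LOG_PRINT_L0("Failed to set SNI hostname: " << domain_name);
        }
        // … unchanged: boost verify callback selection (#if BOOST_VERSION …) …

        X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
        X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
        const int rc = is_ip_literal
          ? X509_VERIFY_PARAM_set1_ip_asc(param, domain_name.c_str())
          : X509_VERIFY_PARAM_set1_host(param, domain_name.c_str(), 0);
        if (rc != 1)
        {
          // Verification still runs through the boost callback set above.
          LOG_PRINT_L0("Failed to set expected hostname: " << domain_name);
        }
```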
@@ -321,13 +382,16 @@ namespace epee
 {
 m_io_service.run_one();
 }
- if (!ec && m_sct_back.get_socket().is_open()) {
- m_sct_back.on_after_connect();
- m_connected = true;
+ if (!m_sct_back.on_after_connect())
+ {
+ return false;
+ }
+
+ m_connected = true;
 m_deadline.expires_at(boost::posix_time::pos_infin);
- LOG_PRINT_L1("Connected OK: " << addr << ":" << port);
+ LOG_PRINT_L1("TLS connected OK: " << addr << ":" << port);
 return true;
 }
 else
diff --git a/tests/performance_tests/main.cpp b/tests/performance_tests/main.cpp
index 521ec083..023c6025 100644
--- a/tests/performance_tests/main.cpp
+++ b/tests/performance_tests/main.cpp
@@ -74,7 +74,8 @@ void test_plain_wallet()
 {
 //std::string res = plain_wallet::init("195.201.107.230", "33340", "C:\\Users\\roky\\home\\", 0);
 //std::string res = plain_wallet::init("", "", "C:\\Users\\roky\\home\\", 0);
- std::string res = plain_wallet::init("https://node.zano.org", "443", "C:\\Users\\roky\\home\\", LOG_LEVEL_2);
+ // std::string res = plain_wallet::init("https://195.201.107.230", "443", "C:\\git_repos\\zano\\build_msvc2022_64\\src\\Debug\\", LOG_LEVEL_2);
+ std::string res = plain_wallet::init("https://node.zano.org", "443", "C:\\git_repos\\zano\\build_msvc2022_64\\src\\Debug\\", LOG_LEVEL_2);
 //std::string res = plain_wallet::init("127.0.0.1", "12111", "C:\\Users\\roky\\home22\\", 0);
 plain_wallet::configure_object conf = AUTO_VAL_INIT(conf); 
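Review bot: As shown, the removed line `if (!ec && m_sct_back.get_socket().is_open()) {` has no added counterpart, so on_after_connect() runs regardless of the connect error code; the non-SSL backend's on_after_connect (hunk @@ -147,9 +208,9) returns true unconditionally, which would mark a failed connect as `m_connected = true`. The `else` that survives at the end of the hunk suggests the condition may still exist outside the diff, so please confirm the `ec`/`is_open()` guard is still on this path. On the new `return false` branch `m_deadline` is left armed, unlike the success path that moves it to `pos_infin`; the enclosing function starts outside the hunk, so I cannot see whether the caller resets the timer after a handshake failure. The log text `"TLS connected OK"` is reached through the backend-agnostic wrapper (hunk @@ -182,7 +243,7), so for the plain backend it would claim a TLS session that was never negotiated; `"Connected OK"` plus the backend kind would be accurate for both.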
@@ -228,16 +229,16 @@ void multithread_test_of_get_coinbase_hash_cached()
 int main(int argc, char** argv)
 {
 epee::string_tools::set_module_name_and_folder(argv[0]);
- epee::log_space::get_set_log_detalisation_level(true, LOG_LEVEL_2);
- epee::log_space::log_singletone::add_logger(LOGGER_CONSOLE, NULL, NULL, LOG_LEVEL_2);
+ epee::log_space::get_set_log_detalisation_level(true, LOG_LEVEL_3);
+ epee::log_space::log_singletone::add_logger(LOGGER_CONSOLE, NULL, NULL, LOG_LEVEL_3);
 //epee::log_space::log_singletone::add_logger(LOGGER_FILE,
 // epee::log_space::log_singletone::get_default_log_file().c_str(),
 // epee::log_space::log_singletone::get_default_log_folder().c_str());
- multithread_test_of_get_coinbase_hash_cached();
+ //multithread_test_of_get_coinbase_hash_cached();
 //test_tx_json_serialization();
 //test_base64_serialization();
- //test_plain_wallet();
+ test_plain_wallet();
 //parse_weird_tx();
 //thread_pool_tests();